
Google, UK ISPs and Gov Battle Over Encrypted DNS and Censorship

Monday, April 22nd, 2019 (9:49 am) - Score 8,716

The UK Government, broadband ISPs and the National Cyber Security Centre (NCSC) are set to meet on the 8th May 2019 in order to discuss Google’s forthcoming implementation of encrypted DNS (DoH – DNS over HTTPS), which politicians fear could break their internet censorship plans.

The existing Domain Name System (DNS), which works to convert Internet Protocol (IP) addresses into a human readable form (e.g. 123.56.32.1 to examplefakeblah.co.uk) and back again, is currently unencrypted and usually managed automatically by your ISP. This gives providers a lot of control over related traffic and enables various support features (Parental Controls, network performance testing etc.).

By comparison, DNS over HTTPS (DoH) sends DNS requests via the encrypted HTTPS protocol, and some major web browsers, such as Chrome (Google) and Firefox (Mozilla), are planning to introduce their own DoH solution. The result could be that ISPs lose a lot of their control over DNS, which would break some of their services including DNS based website blocking (e.g. the new porn site blocks will use DNS based censorship).
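To make the difference concrete, the following added example (not part of the original article) builds the same DNS question once as a classic wire-format message, which travels in the clear on port 53, and once as an RFC 8484 DoH GET request, which travels inside TLS. The resolver URL `https://doh.example/dns-query` is a hypothetical placeholder, and the helper names are assumptions made for illustration.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

RESOLVER = "https://doh.example/dns-query"  # hypothetical DoH endpoint (assumption)

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query in wire format (RFC 1035). qtype 1 = A record."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def doh_get_url(query: bytes, resolver: str = RESOLVER) -> str:
    """RFC 8484 GET form: base64url of the wire message, padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"

def qname_from_doh_url(url: str) -> str:
    """What the DoH resolver (not the ISP) recovers after TLS termination."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    labels, pos = [], 12  # question section starts after the 12-byte header
    while msg[pos]:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def visible_to_on_path_observer(url: str) -> str:
    """With HTTPS, only the resolver's host name (SNI) and IP are exposed."""
    return urlsplit(url).hostname

if __name__ == "__main__":
    q = build_query("examplefakeblah.co.uk")
    print("UDP/53 payload, readable in transit:", q)
    url = doh_get_url(q)
    print("DoH request (inside TLS):", url)
    print("On-path observer sees:", visible_to_on_path_observer(url))
    print("Resolver sees:", qname_from_doh_url(url))
```

The queried name is recoverable from both forms; what changes is who can read it: any on-path device for plain DNS, only the chosen resolver for DoH.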

At this point we should remind readers that ISPreview.co.uk covered this topic in a lot more detail earlier this month (here), which is worth a read if you want to understand why the big ISPs have concerns about DoH, despite it effectively being a security improvement for consumers.

According to The Sunday Times, the Government are particularly concerned about the impact that all of this could have on their wider plans for internet censorship (i.e. not just breaking their porn block but also disrupting future ambitions under the Online Harms White Paper).

One unnamed government official is reported to have said that their ability to investigate paedophiles and terror cells would be hampered. Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage (note: they can already do this without DoH), which they say might be held by Google under Californian law.

At this point we rather suspect that a collective “meh..”, possibly followed by some distinct shoulder shrugging, will be emanating from anybody with moderate I.T. experience. This is because DNS based blocking has always been easy to circumvent and consumers have always had the ability to adopt a third-party DNS provider (OpenDNS, Google Public DNS etc.).

One key difference here, other than encryption, is that Chrome and Firefox could make their own DoH solutions the default (so far neither have done so – it’s still optional, for now). Similarly if third-parties want to adopt DoH then there’s precious little that ISPs can do about that, save for perhaps making more extensive use of expensive Deep Packet Inspection (DPI) technology, but even this has its limits and problems.

Meanwhile the question that consumers may end up having to ask themselves is whether or not they’d rather let ISPs have access to their DNS data or Google/Mozilla. It’s also worth considering that many other third-parties may launch their own default DoH solutions in the future, which may further complicate matters. Some of the DNS based support features offered by ISPs are also quite useful, thus breaking them with DoH isn’t always desirable (likely to give ISP support teams a complex headache).

Suffice to say, it would be interesting to be a fly on the wall at next month’s meeting.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
31 Responses
  1. Joe

    “One unnamed government official is reported to have said that their ability to investigate paedophiles and terror cells would be hampered. Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage”

    Nice juxtaposition. The gov want to monitor browsing habits but feign outrage at others theoretically doing the same. While Google data collection might be a risk, doubtless others will deliver anonymised E-DNS.

    • CarlT

      There are quite a few things we permit government to do but would resist handing over to the private sector.

    • Joe

      That might be true but there is hypocrisy in the gov attacking the privacy issues with private DNS while wanting to breach the same privacy.

    • CarlT

      Not really. That’s what government does. You pay your taxes to government that’s normal, another private citizen tries to tax you that’s extortion.

      It’s actually quite legitimate to be concerned about Google processing data under California state law. UK and EEA entities have to obey GDPR.

      It’s pretty rich coming from the state that’s second only to China in CCTV per capita but is not unreasonable.

    • Joe

      In most cases the Gov is bound by the same data regs as private entities. It just doesn’t like it which is why it so regularly loses court cases by breaching data protections.

      Not that I’m a fan of GDPR – it’s monumentally dim legislation.

    • D

      I’d rather Google has my data than UKgov. UKgov has no interest in anything other than a token effort to secure our data. They are acting how a fascist state does, taking your privacy and your voice in the interests of security in a manner akin to using a nuke to crack a nut – it is that proportional.

      Google / Alphabet has a vested interest in protecting your data and their entire business model is intrinsically tied to it being secure.

      Let’s see who we should trust here? A government with a lousy track record for record keeping, corruption and inane decisions to cripple freedom and privacy, or do we trust a major business whose entire business model is entirely and exclusively about keeping your data secure from 3rd party access and a track record to prove it?

      I know where my data is safest and the current law changes are no different to Tony Blair when he tried to kill off habeas corpus and the Bill of rights in an attempt to weaken our freedoms and rights.

  2. Mike

    Anything that inhibits state overreach can only be a good thing.

  3. CarlT

    If filters are based around Cleanfeed and equivalents encrypted DNS isn’t really worth that much.

    That tech uses IP addresses to select traffic for further inspection and DPI on that subset can be used.

    If someone is accessing a site whose certificate indicates it is pornography it’s a fair bet the site in question is pornographic. This can be done in less than 10 packets per flow.

    Can hide the DNS, can’t hide the Common Name in the certificate.

  4. Karen Cookson

    I think this article covers a lot of the conundrums
    http://www.circleid.com/posts/20190407_dns_privacy_at_ietf_104/

    Perhaps if the browsers give the users an ability to choose a different DoH resolver, then a lot of people’s concerns of “all in the hands of Google” would be somewhat dissipated.

  5. Numpty Power

    Given the fact history in this country shows when ISPs and our government lose private information of Joe Public or worse when it comes to government security information and equipment and it then takes them ages to admit it, I know who I would sooner have my “browsing habits and device usage” information out of them and Google.

    Sure the likes of Google and the like also stuff up but they actually try to fix things when things go wrong.

    I would not trust Talk Talk and their previously hacked systems or BT and its history of Cleanfeed and similar with no notification (only admitting it when caught out).

    As for our own inept governments of the past 30 or so years who, as some highlights, have lost hundreds of computers and left things like documents about Al-Qaida and Iraq on a train. The government even trying to convince me this is about security in any way, rather than them controlling the internet, is laughable.

    “…Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage”

    Perhaps whoever that clown was should be more concerned about departments like the MOD, who regularly lose ammunition, computers, phones, explosives and detonators. YES really folks.

    My only hope is Google do not go all Snowflake as they do too often and cave to whatever stupid demands our government make.

  6. Bob2002

    If people are genuinely concerned about DNS records being collected they should probably set their router up to use a VPN anyway – decent VPN providers are pretty cheap so there isn’t really much of a barrier to doing this.

  7. Moses Jonson

    I’d none of them had my data like that, UKgov will abuse that data and google well google is google, but to be perfectly clear, what the Ukgov is trying to pull off (in the end will fail). We’ll have to wait and see how this whole process will play out (looks like a pandora box mess) waiting to explode on the table of UkGov, just like universal credit.

  8. Andy M

    Don’t know about Chrome’s implementation yet but Firefox uses Cloudflare for DoH resolution. Therefore this doesn’t give Mozilla any more visibility of users’ DNS requests than it did before, as is being implied here that they would be handling the DNS requests in DoH. Cloudflare’s DNS server is also known for making privacy a priority.

    • Some

      Cloudflare loves Privacy? Ha-ha… Microsoft loves Linux, I remember.
      Try to use Tor to love Cloudflare and Privacy at the same time.

  9. Freman

    There are already ways to hide this traffic, but won’t somebody please think of the children?!?!!!

    Typical BS and rhetoric from the government.

    There exist tools to let you mix your ISP and 3rd party DNS solutions so you can have secure DNS for 99 percent of everything and keep your ISP’s DNS magic for whatever they’re providing if you want.

    If you have nothing to hide, you’ve got nothing to fear, right? Well how about the government let us check out their DNS queries?

    • Jordan

      They are claiming terrorists and pedophiles won’t be as easy to track but they already aren’t as the clever ones will be using tools to hide their online activity including VPN. People have always stood by and accepted the government’s excuse that they need to monitor and record internet traffic, invading privacy to prevent crime, when most of the criminals are invisible already as they are the ones using VPN and other secure means of access.

  10. Mr Hardon

    A random thought: surely a browser defaulting to its own encrypted dns would also break internal DNS services

  11. CarlT

    I’ll be keeping an eye on Pi Hole’s progress in this regard. It’s served me beautifully at home so far.

  12. t0m5k1

    Could not care less and TBH, I’m glad they’re in a tailspin over it as it shows how clueless they really are to all this.

  13. Mml

    Looks like Sky already acted and blocked ANY third-party DNS in its latest Hub firmware update. What do you say?

  14. Gregory Sabin

    BT have said on their messaging service that IPv6 is not supported for consumers. I am using my own Billion BiPAC 8800NL router on ADSL. Can anybody tell me if what BT have said is correct? I had entered the Google open fans settings in the advanced settings but when I tested it, it said no IPv6 found.

  15. Gregory Sabin

    I meant Google open DNS, sorry.

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact